gh-secrets-sync

module
v0.1.0 Latest
Warning

This package is not in the latest version of its module.

Published: Apr 29, 2026 License: MIT

README

gh-secrets-sync

GitHub CLI extension that syncs GitHub secrets across different repositories.


🎯 Motivation

I faced a few situations where I have common secrets that I want to deploy and keep in sync across multiple repositories. For example, GitHub Apps bot tokens, or tokens to interact with external services like NPM. When having a few repos that require the same token, having to manually set it up in each repository is a pain, and it's easy to forget to update it when the token rotates.

That's why I decided to build this tool, to simplify this process and have a centralized source of truth that can be easily updated and propagated to all repositories that need it.

🗃️ Features

  • Secrets are stored in a local configuration file.
  • Commands to add, update, and delete secrets in the configuration file simplify the management process.
  • Sync command to propagate changes to all repositories that are using the secrets, ensuring that all repositories are always up-to-date with the latest secrets.

🚀 Getting Started

Installation

You need the GitHub CLI installed first. Then install gh-secrets-sync:

gh extension install brpaz/gh-secrets-sync

Usage

After installing the extension, run gh secrets-sync to get started. A config file is created at ~/.config/gh-secrets-sync/secrets.yaml if it doesn't exist. This is where you will manage your secrets and their associated repositories.

Warning: Secrets are stored in the config file as plain text. Keep this file secure (permissions are set to 0600 by default).
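
A check for the warning above, as an added example that is not part of gh-secrets-sync or its README: it confirms the secrets file is a regular file with no group/other permission bits and that its directory cannot be written by other users. The function name `auditSecretsFile` and the exit codes are this example's own choices.

```go
// Added example, not gh-secrets-sync code: audit the plain-text secrets file.
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// auditSecretsFile returns one finding per permission problem; an empty
// result means the file matches the 0600 mode the README describes.
func auditSecretsFile(path string) ([]string, error) {
	var findings []string
	// Lstat, not Stat, so a symlinked config is reported instead of followed.
	fi, err := os.Lstat(path)
	if err != nil {
		return nil, err
	}
	if !fi.Mode().IsRegular() {
		findings = append(findings, "config path is not a regular file (symlink, directory, ...)")
	} else if perm := fi.Mode().Perm(); perm&0o077 != 0 {
		findings = append(findings, fmt.Sprintf("file mode %04o allows group/other access, want 0600", perm))
	}
	// A group- or world-writable parent directory lets another user swap the file.
	di, err := os.Stat(filepath.Dir(path))
	if err != nil {
		return nil, err
	}
	if perm := di.Mode().Perm(); perm&0o022 != 0 {
		findings = append(findings, fmt.Sprintf("directory mode %04o is group- or world-writable", perm))
	}
	return findings, nil
}

func main() {
	// Default location from the README; a missing file is reported as an error.
	home, _ := os.UserHomeDir()
	findings, err := auditSecretsFile(filepath.Join(home, ".config", "gh-secrets-sync", "secrets.yaml"))
	if err != nil {
		fmt.Fprintln(os.Stderr, "audit failed:", err)
		os.Exit(2)
	}
	for _, f := range findings {
		fmt.Println("FINDING:", f)
	}
	if len(findings) > 0 {
		os.Exit(1)
	}
}
```

The non-zero exit on any finding lets the check gate a sync in a wrapper script or a scheduled job.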

Configuration File

The config file has the following structure:

secrets:
  - name: "NPM_TOKEN"
    value: "secret_value"
    repositories:
      - "owner/repo1"
      - "owner/repo2"

Workflow: add secrets to the config file using gh secrets-sync add, then run gh secrets-sync sync to push them to GitHub.

Commands

# Add a new secret
gh secrets-sync add --name NPM_TOKEN --value s3cr3t --repos myorg/api,myorg/web

# List all configured secrets
gh secrets-sync list

# Update an existing secret
gh secrets-sync update --name NPM_TOKEN --value newvalue

# Delete a secret
gh secrets-sync delete --name NPM_TOKEN

# Sync all secrets to their repositories
gh secrets-sync sync

# Open config file in editor
gh secrets-sync config

Options

All commands support these global options:

Flag       Description
--config   Path to config file (default: ~/.config/gh-secrets-sync/secrets.yaml)
--version  Show version info

🀝 Contributing

All contributions are welcome. Please check CONTRIBUTING.md for details.

🫢 Support

If you find this project helpful and would like to support its development, there are a few ways you can contribute:

Sponsor me on GitHub

Buy Me A Coffee

👱 Contributors

❤️ Acknowledgements

📃 License

Distributed under the MIT License. See LICENSE file for details.

📩 Contact

Directories

Path Synopsis
cmd
  gh-secrets-sync (command)
internal
  app
  cmdutil: Package cmdutil provides small helpers shared across CLI command packages.
  gh
  testutils: Package testutils provides shared test helpers used across command packages.
